---
title: Where do I go from here?
course: intro_pentest
section: Exploitation
layout: lesson
---

At this point, you should have a solid understanding of the basic steps required
to exploit and gain access to a system. Remember: your attack methods change
based on your target and desired goal. Now that you understand the basics, you
should be ready to tackle some more advanced topics.

You should take some time and review the password brute forcing tool Hydra. This
tool functions much like Medusa but provides a few extra parameters to give you
some additional options. Carefully review each of the switches supported by
Hydra. It’s recommended that you pay special attention to the timing option. The
ability to control the time or rate of connections is handy for correcting many
connection errors that occur when we utilize online password crackers.

Along with your own personal password dictionary, you should begin building a
list of default usernames and passwords for various network devices. As you
progress in your penetration testing career, you’ll probably be surprised at how
often you’ll come across devices like routers, switches, modems, firewalls, etc.,
that still use a default username and password. It is not uncommon to find
penetration testing stories where the tester was able to take complete control of a
border router and redirect all internal and external traffic because the
company administrator had forgotten to change the default username and password.
It does little good to spend time configuring and securing your device if you
fail to change the username and password. There are several good starter lists
of default usernames and passwords available online.

Another great tool for password cracking is RainbowCrack. RainbowCrack is a tool
that relies on Rainbow tables to crack passwords. A rainbow table is a
precomputed list of password hashes. Recall that traditional password-cracking
tools like John the Ripper go through a three-step process. First, the tool must
generate a potential password; next, the tool needs to create a hash of the
chosen word; and finally, the password-cracking tool has to compare the
generated hash with the password hash. Rainbow tables are much more efficient
because they make use of precomputed password hashes. This means that the
cracking process eliminates two of the three steps and simply needs to compare
hashes to hashes.
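To make the three-step versus one-step comparison concrete, here is an added example (not part of the original lesson or of RainbowCrack) that implements both approaches over a constructed five-word candidate list with unsalted MD5, and then shows why a per-user salt defeats any table precomputed in advance. The `CANDIDATES` list and the salt are constructed sample values; the lookup dictionary is a simplified stand-in for a rainbow table, which in practice stores hash chains rather than every hash.

```python
import hashlib
import os

# Constructed sample data standing in for a small dictionary file.
CANDIDATES = ["letmein", "password", "admin123", "qwerty", "hunter2"]


def md5_hex(text: str) -> str:
    """Unsalted MD5 hex digest, the kind of hash precomputed tables target."""
    return hashlib.md5(text.encode()).hexdigest()


def crack_three_step(target_hash: str, candidates):
    """The classic approach described in the lesson: for each candidate,
    (1) generate it, (2) hash it, (3) compare. Returns the match (or None)
    and how many hashes had to be computed to get there."""
    hashes_computed = 0
    for word in candidates:
        hashes_computed += 1                 # step 1: next candidate
        if md5_hex(word) == target_hash:     # step 2 + 3: hash, then compare
            return word, hashes_computed
    return None, hashes_computed


def build_lookup_table(candidates):
    """Precompute hash -> plaintext once. This is the simplified 'list of
    precomputed hashes' view of a rainbow table used in the lesson."""
    return {md5_hex(word): word for word in candidates}


def crack_with_table(target_hash: str, table):
    """Only step 3 survives: compare hash to hash via a dictionary lookup.
    No hashing is done at crack time."""
    return table.get(target_hash)


def salted_hash(password: str, salt: bytes) -> str:
    """Defensive side: a per-user random salt means the stored hash was never
    in any table precomputed before the salt existed (sha256 used for contrast)."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def table_hit_on_salted(password: str, table) -> bool:
    """Shows the precomputed table failing against a salted hash of the same
    password. A constructed random salt is generated here."""
    salt = os.urandom(16)                    # constructed salt, fresh each call
    return crack_with_table(salted_hash(password, salt), table) is not None


if __name__ == "__main__":
    target = md5_hex("qwerty")
    print(crack_three_step(target, CANDIDATES))          # ('qwerty', 4)
    table = build_lookup_table(CANDIDATES)
    print(crack_with_table(target, table))               # 'qwerty'
    print(table_hit_on_salted("qwerty", table))          # False
```

The three-step cracker pays one hash computation per candidate on every run, while the table pays that cost once and then answers each hash with a lookup; that is the whole advantage the lesson describes. The last function is the defender's takeaway: storing passwords with a unique salt (and a slow hash such as bcrypt or Argon2 in real systems) means there is no single hash for an attacker to have precomputed.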

There are lots of great tools that can be explored and used for sniffing. It is
highly recommended that you spend time getting to know and use Wireshark. This
course covered only the basics, but Wireshark is a deep program with many rich
features. You should learn how to use the filters, follow data streams and view
information on specific packets. Once you are comfortable with Wireshark,
digging into dsniff is highly recommended. As mentioned earlier, dsniff is an
incredible suite with tons of great tools. With some self-study and practice,
you can even learn to intercept encrypted traffic like SSL.

Ettercap is another fantastic tool that has many powerful features and
abilities. Ettercap is a great tool for conducting man-in-the-middle attacks.
Ettercap works by tricking clients into sending network traffic through the
attacker machine. This is a great way to get usernames and passwords from
machines on the local LAN. Once you have successfully studied and used
Wireshark, dsniff and Ettercap, you’ll be well on your way to mastering the
basics of network sniffing.

After reviewing and understanding the basics of Metasploit, you should dig in
and learn the details of the Meterpreter payload. There are dozens of switches,
commands and ways to interact with the Meterpreter. You should learn and
practise them all. Learning how to control this amazing payload will pay
mountains of dividends in your exploitation career. It is important that you
understand that using Metasploit in combination with the Meterpreter is one of
the most lethal amalgamations available to a new penetration tester. Don’t
underestimate or overlook this powerful tool.

Until now only automated attacks have been discussed. Even though it can be
extremely entertaining to push buttons and pwn remote systems, if you never
advance your skill level beyond this point, you’ll be a Script Kiddie forever.
Initially, we all start out as a person who must rely on others to develop and
release new exploit tools, but to become truly elite you’ll need to learn how to
read, write and create your own exploits. While creating your own exploits may
seem daunting at first, it is a process that becomes much easier the more you
learn. A good place to start learning about exploitation is by getting to know
buffer overflows.

Stack- and heap-based buffer overflows, which are responsible for many of the
exploits available today, often seem like magic or voodoo to newcomers. However,
with some dedicated and careful self-study, these topics can be demystified and
even mastered.

Advancing your skill level to the point of being able to find buffer overflows
and write shellcode often requires some additional training. Although this
training is not strictly required, it certainly makes the process of learning
advanced exploitation much easier. Whenever possible, you should spend time
learning a programming language like “C”. Once you are comfortable with C, you
should focus on understanding at least the basics of Assembly Language. Having a
solid understanding of these topics will help dispel much of the “black-magic”
feel many people have when they first encounter buffer overflows.
